CVE-2007-4879 Information

Description

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 can automatically install TLS client certificates with minimal user interaction and automatically send these certificates when requested, which makes it easier for remote web sites to track user activities across domains by requesting the TLS client certificates from other domains.

Reference

http://0x90.eu/ff_tls_poc.html
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html
http://secunia.com/advisories/29526
http://secunia.com/advisories/29539
http://secunia.com/advisories/29541
http://secunia.com/advisories/29547
http://secunia.com/advisories/29558
http://secunia.com/advisories/29560
http://secunia.com/advisories/29616
http://secunia.com/advisories/29645
http://secunia.com/advisories/30327
http://secunia.com/advisories/30620
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128
http://www.debian.org/security/2008/dsa-1532
http://www.debian.org/security/2008/dsa-1534
http://www.debian.org/security/2008/dsa-1535
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:080
http://www.mozilla.org/security/announce/2008/mfsa2008-17.html
http://www.securityfocus.com/archive/1/490196/100/0/threaded
http://www.securityfocus.com/bid/28448
http://www.securitytracker.com/id?1019704
http://www.ubuntu.com/usn/usn-592-1
http://www.us-cert.gov/cas/techalerts/TA08-087A.html
http://www.vupen.com/english/advisories/2008/0998/references
http://www.vupen.com/english/advisories/2008/1793/references
https://bugzilla.mozilla.org/show_bug.cgi?id=395399
